Common GPG Functionality

The GNU Privacy Guard (GPG) is a command line tool used for encrypting documents and text available on all platforms. It is an implementation of a standard known as Pretty Good Privacy (PGP).

Installing GPG

On Mac, gnupg can be installed via Brew. gpg can be installed using apt, yum, pacman and so forth on Linux.

Generating a New Keypair and Revocation Certificate

gpg --full-generate-key

Use gpg --full-generate-key for the full available options or gpg --gen-key to use the default options.

In both cases the user must provide a name, email, and password, but using the --full-generate-key directive will enable the user to specify the algorithm, keysize, and expiration date.

After generating a key pair, immediately generate a revocation certificate.

gpg --output revoke.asc --gen-revoke <ID>

Location and Listing of Keypairs

Once the first key is generated, the gpg tool will create a directory in the user's home, ~/.gnupg where the key will live.

You can list all keypairs by using the command,

gpg --list-secret-keys

Exporting Keys

After listing the keys using the gpg --list-secret-keys command, you can export your public key as a binary file.

gpg --output filename.gpg --export <ID/EMAIL>

where <ID/EMAIL> is either the id displayed when we list the keys or the email associated with the key.

To export it in ASCII-armored format, we can use the --armor directive, however we need to make sure that we route the output to a file since it will print to stdout otherwise.

gpg --armor --export <ID> >

Importing Keys

gpg --import daedelus.gpg

Encrypting and Decrypting Documents

To encrypt a document, use the following command.

gpg --output <OUTPUTFILE> --encrypt --recipient <EMAIL> <FILENAME>

This will encrypt <FILENAME> and produce a file <OUTPUTFILE>. In order to decrypt it, recipient with <EMAIL> must be imported into the local keyring.

To decrypt a document, use the following command.

gpg --output <OUTPUTFILE> --decrypt <FILENAME>

where <OUTPUTFILE> is the cleartext filename and <FILENAME> is the encrypted document. As long as the original recipient email public key is in your local key ring, it will automatically use that key.